The right to dual-boot: Linux groups plead case prior to Windows 8 launch

In Windows 8, OEMs must allow Secure Boot to be disabled. They won't have to in Windows 10.

Red Hat, Canonical and the Linux Foundation have laid out a set of recommendations for hardware vendors in hopes of preserving the ability to install Linux on Windows 8 machines. Windows 8 machines should ship in a setup mode giving users more control right off the bat, the groups argue.

As we reported last month, Windows 8 computers that ship with UEFI secure booting enabled could make the task of replacing Windows with Linux or dual-booting the two operating systems more difficult. In order to get a “Designed for Windows 8” logo, PCs must ship with secure boot enabled, preventing the booting of operating systems that aren’t signed by a trusted Certificate Authority.

Hardware vendors can give users the option of disabling the secure boot feature—but they could also decline to do so, making it impossible to run a non-Windows operating system. In practice, it seems unlikely that dual-boot scenarios will be prevented entirely, but Linux vendors and the Linux Foundation are worried about how UEFI secure booting will be implemented.

Secure boot protects users, but may impede Linux

In a paper titled “UEFI Secure Boot Impact on Linux,” Red Hat and Canonical warn that “Microsoft’s recommended implementation of secure boot removes control of the system from the hardware owner, and may prevent open source operating systems from functioning.” Although Windows 8 isn’t expected to hit the market until later in 2012, the paper notes that hardware vendors could start shipping UEFI-enabled systems in Q1 2012 in preparation for Windows 8.

Red Hat and Canonical agree that UEFI secure boot brings security advantages in malware prevention by protecting against rootkits and in giving IT departments the ability to dictate that only authorized OSes can be booted. But given the potential impact on the freedom to install Linux and other alternative operating systems, the open source vendors offer a few recommendations.

These include that “OEMs allow secure boot to be easily disabled and enabled through a firmware configuration interface”; that hardware vendors “provide a standardized mechanism for configuring keys in system firmware”; and that “hardware ship in setup mode,” giving the end user more control right up front.

How much control do users want?

This last recommendation could be problematic for hardware vendors attempting to give a clean out-of-the-box experience to users, the vast majority of whom simply want to use Windows and get the system up and running quickly.

Red Hat and Canonical argue that “If the process required to disable secure boot is difficult for non-technical users, then we risk restricting use of unsigned software to a small portion of the market.” One could also argue that Linux installations are already restricted to a small portion of the market, which tends to be technically savvy enough to work around the restrictions expected in UEFI-enabled systems. However, Red Hat and Canonical may be worried that future attempts to bring Linux desktops to the mainstream will be impeded.

In a separate paper titled “Making UEFI Secure Boot Work With Open Platforms,” the Linux Foundation makes a recommendation similar to the one offered by Red Hat and Canonical, saying “all platforms that enable UEFI secure boot should ship in setup mode where the owner has control over which platform key (PK) is installed. It should also be possible for the owner to return a system to setup mode in the future, if needed.”
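The setup-mode arrangement the Linux Foundation paper describes, modelled as an added Python example (not code from the paper, the article, or any firmware vendor). It assumes the simplified UEFI rules: no platform key (PK) enrolled means setup mode, where the key databases can be written without authentication and Secure Boot is not enforced; enrolling a PK enters user mode, where PK and KEK changes must be authorised by the PK and db/dbx changes by a KEK or the PK; an authorised clearing of the PK returns the platform to setup mode. Key names such as OwnerPK and DistroSigningCert are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import Optional, Set


class SecureBootError(Exception):
    """Raised when a key-database write is not authorised in user mode."""


@dataclass
class Firmware:
    """Toy UEFI key store: PK, KEK, db (allowed signers), dbx (forbidden).

    Constructed model: 'signed_by' names the key authorising a write instead
    of carrying a real signature; the variables hold opaque signer names.
    """
    pk: Optional[str] = None
    kek: Set[str] = field(default_factory=set)
    db: Set[str] = field(default_factory=set)
    dbx: Set[str] = field(default_factory=set)

    @property
    def setup_mode(self) -> bool:
        # No PK enrolled means setup mode: keys can be written freely.
        return self.pk is None

    def _authorise(self, signed_by: Optional[str], allowed: Set[str], var: str) -> None:
        if self.setup_mode:
            return
        if signed_by not in allowed:
            raise SecureBootError(f"write to {var} not authorised by {signed_by!r}")

    def set_pk(self, new_pk: Optional[str], signed_by: Optional[str] = None) -> None:
        # In user mode only the current PK may replace or clear itself;
        # clearing it (new_pk=None) returns the platform to setup mode.
        self._authorise(signed_by, {self.pk}, "PK")
        self.pk = new_pk

    def add_kek(self, key: str, signed_by: Optional[str] = None) -> None:
        self._authorise(signed_by, {self.pk}, "KEK")
        self.kek.add(key)

    def add_db(self, signer: str, signed_by: Optional[str] = None) -> None:
        # db/dbx updates are authorised by any enrolled KEK (or the PK).
        self._authorise(signed_by, self.kek | {self.pk}, "db")
        self.db.add(signer)

    def add_dbx(self, signer: str, signed_by: Optional[str] = None) -> None:
        self._authorise(signed_by, self.kek | {self.pk}, "dbx")
        self.dbx.add(signer)

    def boot_allowed(self, image_signer: Optional[str]) -> bool:
        """Would this firmware load a boot image signed by image_signer?"""
        if self.setup_mode:
            return True  # nothing is checked without a PK
        if image_signer is None or image_signer in self.dbx:
            return False  # unsigned, or signer explicitly revoked
        return image_signer in self.db


def owner_enrolls_own_keys() -> Firmware:
    """The papers' recommendation: ship in setup mode, owner installs the PK."""
    fw = Firmware()                      # as shipped: no PK, setup mode
    fw.set_pk("OwnerPK")                 # no authorisation needed yet
    fw.add_kek("OwnerKEK", signed_by="OwnerPK")
    fw.add_db("DistroSigningCert", signed_by="OwnerKEK")
    return fw                            # now in user mode, owner holds PK


def unauthorised_db_write_rejected(fw: Firmware, unknown_key: str) -> bool:
    """True if user mode refuses a db write authorised only by an unknown key."""
    try:
        fw.add_db(unknown_key, signed_by=unknown_key)
    except SecureBootError:
        return True
    return False
```

Clearing the PK with a PK-authorised write (`fw.set_pk(None, signed_by="OwnerPK")`) is the "return a system to setup mode" step the paper asks for, and afterwards `boot_allowed` stops enforcing anything.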

The Linux Foundation further supports the establishment of an independent certificate authority to issue keys to third-party hardware and software vendors, presumably allowing Linux-based operating systems to be installed and still gain the security benefits of UEFI secure boot. (The Free Software Foundation has also weighed in with a petition directed at hardware vendors.)

Microsoft says there is no mandate

Microsoft, for its part, noted in a blog post last month that it does not “mandate or control the settings on PC firmware that control or enable secured boot from any operating system other than Windows,” but says UEFI secure boot addresses a pre-operating system environment that is vulnerable to attack.

“At the end of the day, the customer is in control of their PC,” Microsoft says. Without mentioning Linux by name, Microsoft said “For the enthusiast who wants to run older operating systems, the option is there to allow you to make that decision.”

Indeed, as we noted last month, the Windows 8 developer system built by Samsung and distributed at Microsoft’s BUILD conference contains the option to disable secure boot. Since few computers ship with Linux pre-installed, Linux groups hope that same option will be available on all Windows 8 systems, and that it will be easily accessible even for users who aren’t Linux experts.

I'm not particularly anti-Microsoft. I think their products have greatly improved over the last decade and I do use Windows.

But calling Linux, which has a release schedule that leaves MS choking on their dust, an "older operating system" takes some nerve. (I'm sure if they were called on this specifically, they'd cover themselves by saying that of course they meant XP and weren't even thinking about Linux at all. That's possibly even more insulting.)

And anything that makes it harder than it already is to run Linux on my own computers will make me rage.

If any OEM does not provide the "disable secure boot", it's the OEM being a douchebag, not Microsoft. Sort of reminds me of Sony and their laptops which had VT-x disabled in their BIOS with no option to enable it.

Geez, MS has done nothing wrong here. They are not recommending that hardware vendors remove the option of disabling secure boot. If the hardware vendors do this (and none have) then that is their own decision. And no vendor has even indicated that they will. This is a storm in a teacup.

As for the recommendation that "hardware ship in setup mode", what does that mean? The computer goes straight to the UEFI setup screen on first boot? That is ridiculous, the vast majority of users would be freaked out by that. This will never happen, and so it shouldn't.

Anybody who wants to install Linux and doesn't know how to change a setting in the UEFI shouldn't be installing Linux, cause they are going to face more complex challenges than that down the road.

Make it easy to disable it? Sure. I don't have any plans to install Linux today but I'd look for that in new hardware just because.

Require every single user to go through a setup experience? Why on earth would that be good for the consumer (most of whom are going to have no idea what UEFI is or know of the existence of Linux) or for the manufacturer who will get a flood of tech support calls over it?

What incentive might there be for a motherboard manufacturer and/or BIOS vendor to NOT include the function to disable secure boot?

1) The extra documentation and testing required.

2) The perception that their system isn't as secure as a competitor's.

3) [Speculation on my part] Some extra strings attached by Microsoft that cut certain Windows features if the UEFI isn't completely locked down.

The most bug-free feature is the one you don't have to ship, and if the manufacturers can minimize the boot options that's one less thing to worry about. That unfortunately puts the burden on the Linux market's sales numbers (i.e. potential lost sales) to pressure them otherwise.

It should be a configurable bios setting. That's it, and the Linux people are insane if they think, “hardware ship in setup mode,” is going to happen in 2012. Computers for consumers need to just work. Making another dialog box 99% of users will not understand and spam click through is going in the wrong direction. Anyone who is going to be dual booting or installing another OS should be able to reboot and enter the UEFI and change the setting.

Also why can't an Linux OS get signed by a trusted Certificate Authority, then be able to be secure booted?

(I'm sure if they were called on this specifically, they'd cover themselves by saying that of course they meant XP and weren't even thinking about Linux at all. That's possibly even more insulting.)

Given the current XP install base, feelings being insulted suggests to me someone rather out of touch, self-centered, and/or something else.

The entire statement was about XP, Vista and Win7. Any corporate system *has* to ship with this setting as corporations will not migrate instantly to Win8, and it may take years for full validation. That's why volume licensing includes downgrade rights.

As to Linux, seriously, have Red Hat certify a boot agent that can then strap an unsigned kernel into memory past the secure boot process. There are like a zillion potential workarounds, plus, seriously, instead of a single monolithic kernel, rearchitect it (no easy task I know) to separate out boot portions from the rest, permitting a less frequently updated boot stack and the rest can be updated at will. Then have something like an annual cert that can be installed.

What incentive might there be for a motherboard manufacturer and/or BIOS vendor to NOT include the function to disable secure boot?

1) The extra documentation and testing required.

2) The perception that their system isn't as secure as a competitor's.

3) [Speculation on my part] Some extra strings attached by Microsoft that cut certain Windows features if the UEFI isn't completely locked down.

The most bug-free feature is the one you don't have to ship, and if the manufacturers can minimize the boot options that's one less thing to worry about. That unfortunately puts the burden on the Linux market's sales numbers (i.e. potential lost sales) to pressure them otherwise.

Agreed. Unfortunately we are now entering into the era of locked down walled gardens. There are benefits to security. But there are costs to freedom. Of course, those with the knowledge/awareness never had issues relating to the security aspect. Alas those people are in the minority.

As a user of both Linux and MS products this is total crap that the open source community is dishing out. This has nothing to do with controlling what operating system is installed on a CPU and everything to do with secure booting. What makes people think Linux distros would not want to take advantage of this same feature?

I think the setting for this should just be in BIOS where it belongs but the idea of an informative first-boot screen that allows it to be disabled isn't necessarily a bad one. Windows isn't really a part of my world, so things like this would be a mystery if I encountered them without reading an article like this first. It would also inform people who may not use Linux/etc at the time that they bought this computer that this protection exists and might prevent a very frustrating experience for people doing their first installs, provided they remember the message. Alternatively, the UEFI implementation could display a message when it blocks the new OS which explains what has happened and how to disable it. That might be a little better...only present an explanation of the option when it seems that it is needed. Still, I don't think a first-boot screen would be all that disorienting or concerning to traditional end users, provided that the screen provided an adequate explanation of what was going on and directed users who didn't understand to just leave it turned on.

Is it possible that the secure boot feature is a two way street? As in MS or software vendors or future media ecosystems will require secure boot to operate?

"Sorry, you cannot watch this video on Windows xx.xx because you didn't boot it securely, so you may have a (wink, wink, nudge, nudge) ""video copying virus"" and we cannot allow that ... signed: 'your friends at the various recording or video industry associations. ' "

maybe because the way it's implemented only works with Windows (so far)

It only works on [the yet to be released] Windows 8, and there is a path forward for others to follow. This squealing about butt hurt by Linux folks is, sadly, the sort of backwards, luddite-esque thinking that plagues so much of the community.

It should be a configurable bios setting. That's it, and the Linux people are insane if they think, “hardware ship in setup mode,” is going to happen in 2012. Computers for consumers need to just work. Making another dialog box 99% of users will not understand and spam click through is going in the wrong direction. Anyone who is going to be dual booting or installing another OS should be able to reboot and enter the UEFI and change the setting.

Also why can't an Linux OS get signed by a trusted Certificate Authority, then be able to be secure booted?

Even if "an Linux OS" was signed by "a trusted Certificate Authority", it would do no good for the majority of Linux users. The Linux kernel changes every time a commit is made to the git repository and everyone has different requirements. You can't do a single compilation and meet everyone's needs, especially if they want the latest code for one reason or another. Unlike people in the Windows world, Linux users are not used to waiting years before getting things like native USB3 support. If their distributions won't ship an updated kernel, they compile it themselves. Having a CA sign it simply won't work unless it is willing to sign everyone's binaries.

With that said, Windows users have bigger problems if someone can do this kind of thing in the first place. Implementing Secure Boot support in Windows is nothing more than an attempt to hide existing problems rather than fix them.

maybe because the way it's implemented only works with Windows (so far)

It only works on [the yet to be released] Windows 8, and there is a path forward for others to follow. This squealing about butt hurt by Linux folks is, sadly, the sort of backwards, luddite-esque thinking that plagues so much of the community.

But who says that's the best/only way forward?

And from what I understand, you won't be able to install Windows 7 or any other previous OS on it. Windows 8 or later only.

Are the hardware manufacturers willing to open themselves to consumer lawsuits, or to label the motherboards Windows only?

The OEMs need to provide a way to allow users to control their machines, and it goes beyond Linux.

I recently had to buy some new PCs that came with Windows 7 Pro and temporarily downgrade them to XP Pro due to software (Solidworks) we were running that had not been upgraded yet. We needed new PCs but the software wasn't ready for the new operating system. Also, I have deliberately installed Windows 2000 on new laptops so I could run PLC programming software that will not run correctly on any newer version of Windows. In my world, upgrading older industrial control software to the latest version of Windows can be cost prohibitive or is not available at all.

I guess I should buy a couple spare laptops and put them on the shelf...I sometimes have to run software that has not been updated in over a decade...

This has nothing to do with open source or Linux, and everything to do with giving the end user what is necessary to get the job done.

Seriously? Even if it did make it harder for Linux people to install Linux, who cares? Linux is less than 1% of the market share by most estimates, and even generous ones have never given it more than 2% marketshare. That's not enough of the market to warrant turning off an incredibly useful security advantage.

Besides, most of the manufacturers probably won't disable this, and if they do, then don't buy their machines. Simple. As most manufacturers are at least Linux neutral, I doubt they will disable this. I could see Sony doing this, but that's about it. And as Sony tends to be very OS focused (don't like upgrades/downgrades, etc...) people know what they get out of them (though I love my new Vaio S series).

It should be a configurable bios setting. That's it, and the Linux people are insane if they think, “hardware ship in setup mode,” is going to happen in 2012. Computers for consumers need to just work. Making another dialog box 99% of users will not understand and spam click through is going in the wrong direction. Anyone who is going to be dual booting or installing another OS should be able to reboot and enter the UEFI and change the setting.

Also why can't an Linux OS get signed by a trusted Certificate Authority, then be able to be secure booted?

Even if "an Linux OS" was signed by "a trusted Certificate Authority", it would do no good for the majority of Linux users. The Linux kernel changes every time a commit is made to the git repository and everyone has different requirements. You can't do a single compilation and meet everyone's needs, especially if they want the latest code for one reason or another. Unlike people in the Windows world, Linux users are not used to waiting years before getting things like native USB3 support. If their distributions won't ship an updated kernel, they compile it themselves. Having a CA sign it simply won't work unless it is willing to sign everyone's binaries.

With that said, Windows users have bigger problems if someone can do this kind of thing in the first place. Implementing Secure Boot support in Windows is nothing more than an attempt to hide existing problems rather than fix them.

And yet, Windows changes every time someone does a commit at Microsoft. How frequently it changes is irrelevant; what matters is how frequently it changes for your distribution.

You may not be able to secure boot your roll-your-own distro. But you certainly could secure-boot Ubuntu, if they got a certificate.

Is it possible that the secure boot feature is a two way street? As in MS or software vendors or future media ecosystems will require secure boot to operate?

"Sorry, you cannot watch this video on Windows xx.xx because you didn't boot it securely, so you may have a (wink, wink, nudge, nudge) ""video copying virus"" and we cannot allow that ... signed: 'your friends at the various recording or video industry associations. ' "

It could be attempted but there are two basic problems with a creator/distributor trying to limit media to an entirely secured stack from the metal on up.

1) Windows 8 is not REQUIRING their hardware to have this option, much less have it enabled, to boot. It is just for gaining a marketing sticker. Microsoft would have to go the Apple Mac route, which requires making a huge change in how they interact with hardware manufacturers (something that would be very difficult to transition to, as underlined by their “older OS” comment, which is first and foremost about backward compatibility with their own OSes).

2) The media, even if it had internal executing code to ensure this, is relying on the OS to provide the services that it needs to confirm the OS is legit. It boils down to “can I trust you?” “why sure you can trust me”. Time and again we’ve seen that this security just doesn’t hold up to mass distribution; the numbers are just far too against it to win at that game.

maybe because the way it's implemented only works with Windows (so far)

It only works on [the yet to be released] Windows 8, and there is a path forward for others to follow. This squealing about butt hurt by Linux folks is, sadly, the sort of backwards, luddite-esque thinking that plagues so much of the community.

But who says that's the best/only way forward?

And from what I understand, you won't be able to install Windows 7 or any other previous OS on it. Windows 8 or later only.

Are the hardware manufacturers willing to open themselves to consumer lawsuits, or to label the motherboards Windows only?

Exactly, all reasons why this noise from the Linux community is entirely pointless….unless the goal is to continue to build and reinforce the “self-centered whiners with an inferiority complex that want to live perpetually in 1982” stereotype.

I gather from a different blogpost (sorry, can't find it easily), that the "hardware ship in setup mode" isn't about showing users a complicated screen on first boot. Generally, the keys aren't meant to be set programmatically (so malware can't authenticate itself). I think the idea behind the "setup mode" is that the first OS to boot can add its own keys.

Einlanzerous wrote:

Seriously? Even if it did make it harder for Linux people to install Linux, who cares? Linux is less than 1% of the market share by most estimates, and even generous ones have never given it more than 2% marketshare. That's not enough of the market to warrant turning off an incredibly useful security advantage.

That's most certainly a higher percentage than the number of boot loader root kits in the wild.

Largely moot. Specifically: "If the process required to disable secure boot is difficult for non-technical users, then we risk restricting use of unsigned software to a small portion of the market." Current Linux implementations pretty much require some level of technical expertise to get everything working, and desktop implementations (not servers) are relegated to a small corner of the market. The idea is kind of laughable that "Joe Sixpack" will be able to respond to a BIOS prompt to either enter in their distribution's digital signature or set their BIOS to allow a "potentially insecure" configuration (or whatever language the BIOS manufacturer uses).

However, if the BIOS doesn't allow the ability to put in a digital signature other than Microsoft's, that screams Foul, and would likely trigger anti-trust activity. There are 1,000 settings in BIOS anyway; motherboard manufacturers might as well (and are likely to) allow addition of additional secure-boot signatures.

With that said, Windows users have bigger problems if someone can do this kind of thing in the first place. Implementing Secure Boot support in Windows is nothing more than an attempt to hide existing problems rather than fix them.

So your claim is what, that Windows is the only operating system with escalate-to-root privilege vulnerabilities?

I see this window-linux war intensified in the coming weeks, I'm not anti-windows, I use ubuntu too, but I think MS is desperate to get out of the market and its linux variants I love technology, I'm sure Lunix found and a solution for this. I seems to me that MS historically speaking it is happening as all the kingdoms, and compare it to the Roman Empire disappeared, as Hitler disappeared, it's time the same thing happens MS ... so let our "open minds" to be "open source"...

Also why can't an Linux OS get signed by a trusted Certificate Authority, then be able to be secure booted?

Some Linux OSes might manage, but "Dave's Mom's Basement Edition Linux" won't be getting signed heh. The concept of signed software is to make sure the software is legitimate. This suggests that many (most?) people don't consider Linux to be legitimate. Given the uptake numbers for Linux outside of a server room, it seems to pan out.

Of course, you could probably still buy a Mac and dual boot Linux. No Windows for sure that way *cue gnashing of teeth about Mac computer costs*

If any OEM does not provide the "disable secure boot", it's the OEM being a douchebag, not Microsoft.

This has to be quoted, as it's the truth.

skyhookpro wrote:

I see this window-linux war intensified in the coming weeks, I'm not anti-windows, I use ubuntu too, but I think MS is desperate to get out of the market and its linux variants I love technology, I'm sure Lunix found and a solution for this. I seems to me that MS historically speaking it is happening as all the kingdoms, and compare it to the Roman Empire disappeared, as Hitler disappeared, it's time the same thing happens MS ... so let our "open minds" to be "open source"...

Of course, you could probably still buy a Mac and dual boot Linux. No Windows for sure that way

I don’t see how Windows 8 wouldn’t be expected to boot on Mac hardware? Sure it won’t have a tacky little “Designed for Windows 8” sticker on it but I have trouble comprehending the amount of money that Microsoft would have to pay Apple to get Apple to do that, anyway.

UEFIs in particular are dirt simple GUIs now. The hardest part is knowing the exact moment to hit enter or delete or whatever key they felt like making it this week to get into it in the first place! If this goes through, in a few years googling "ubuntu doesn't boot os not signed" will probably give you a step by step on how to disable it. I'm not worried, as long as it can be disabled.